
Consider freezing Object.prototype for security reasons #18839

Closed
Description

@andvgal
  • Version: any
  • Platform: any
  • Subsystem:

THE PROPOSAL:

  1. Add a Node.js CLI option to control freezing of Object.prototype on startup.
  2. Where possible, emit a deprecation warning whenever Object.prototype is modified.
  3. Over time (e.g. Node.js v11+), enable freezing of Object.prototype by default.

JUSTIFICATION:

The issue formalizes proposal/discussion started here: https://www.reddit.com/r/node/comments/7y341t/quick_cve20183721_proto_from_jsonparse_mitigation/

  • It's a known poor practice to modify Object.prototype in production code.
  • There are known vulnerabilities related to overriding of __proto__ properties under some conditions.
    • There are also plenty of closed Node.js issues one or another way related to the problem.
  • Packages which override toString(), valueOf() or other standard names require only minor modifications.
    • e.g. use of Object.defineProperty(), assigning a new object to the class .prototype with the key already defined, or another variation.
  • There are known popular libraries like should.js which will break:
    • users can fallback to old behavior through the command line option described above
    • users can migrate to expect/assert or other assertion interface
  • As Node.js has already seen Promise-related enforcements, why not do the same for Object.prototype as well?

Labels: feature request (Issues that request new features to be added to Node.js.), security (Issues and PRs related to security.)
